Not All E-Signatures Are Equal
THERE'S BEEN A LOT of hype surrounding the new "e-sign" law (officially known as the Electronic Signature in Global and National Commerce Act), which gives electronic and digital signatures the legal enforceability of handwritten signatures. Whether the law -- which took effect in October 2000 -- ignites an explosion of worry-free online business transactions or lays a minefield of privacy and security traps, one thing is clear: By legitimizing electronic and digital signatures, the federal government has moved e-commerce a step forward and created important choices for CIOs. Perhaps the most important choice CIOs face is whether to use simple electronic signatures or the more secure but more costly digital signatures.
The act, which President Clinton signed in June 2000, gives CIOs a lot of leeway in terms of the electronic-signature technology they can use. It broadly defines an electronic signature as "an electronic sound, symbol or process" executed or adopted with the intent to sign a contract or record, and the law doesn't give examples of specific technologies. Valid electronic signatures might include such things as text blocks at the end of an e-mail, click-through agreements, digitized images of handwritten signatures, user names and passwords, and digital signatures.
Regardless of their legal validity, not all electronic signatures are created equal. The major differentiators are security and authentication. At the low end of the safety spectrum are click-through agreements, plain-text "signatures" (such as a name typed at the end of an e-mail message) and user name/password pairs. These are a lot cheaper than higher-end solutions, but you should weigh cost against the severity of your privacy needs when deciding whether to adopt lower-end solutions or the most secure technology out there: digital signatures. For example, it may not be worth the effort to require a digital signature to download a $20 piece of shareware software, but a digital signature may be perfectly appropriate to control downloads of $500,000 ERP packages.
Why Digital Signatures?
Digital signatures are to ordinary electronic signatures what calculus is to arithmetic. They're much more complex mechanisms that rely on encryption technology to provide a tamper-resistant method of communicating and authenticating documents and signatures. Basically, you "sign" a document by attaching a piece of text encrypted with your private key (a type of encryption password that is matched to a public key that can decrypt what the private key encrypts). The recipient can then authenticate your identity using your public key. If the public key works, the recipient knows that the message must have come from you. An encrypted hash mark (a number generated by mathematically analyzing a document that will change if the document is changed) ensures that the document has in fact been sent without modification. This way, you can't repudiate the document later on, and both you and the recipient face less risk of fraud.
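The signing and checking steps described above, as an added example that is not part of the original article: it applies textbook RSA to a SHA-256 hash using only Python's standard library. The key pairs are built from publicly known primes and the contract text is constructed, both assumptions for illustration; production systems use a padded scheme from a vetted cryptographic library.

```python
import hashlib

# Demonstration key material built from publicly known Mersenne primes.
# Assumption for this example only: real keys use secret random primes, and
# real systems use a padded scheme (RSA-PSS, Ed25519) from a vetted library.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (exponent, modulus) tuples."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (e, n), (d, n)


def digest(document: bytes) -> int:
    """The hash: a number derived from the document's exact bytes."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Transform the document's hash with the private key."""
    d, n = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Undo the transform with the public key, compare with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == digest(document)


def demo():
    public_key, private_key = make_keypair()
    contract = b"Buyer agrees to pay $500,000 for the ERP package."  # constructed
    signature = sign(contract, private_key)
    altered = contract.replace(b"$500,000", b"$5,000")
    # Hypothetical second signer, to show that the wrong public key fails.
    other_public, _ = make_keypair(p=2**127 - 1, q=2**521 - 1)
    return {
        "original": verify(contract, signature, public_key),
        "altered": verify(altered, signature, public_key),
        "wrong_key": verify(contract, signature, other_public),
    }


if __name__ == "__main__":
    print(demo())
```

The signature checks out only for the exact bytes that were signed and only under the signer's public key, which is what gives the recipient both integrity and authentication.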
Nonetheless, digital signatures have downsides. One is cost. Digital signatures tend to be complex, expensive and cumbersome to implement, and they often slow down the speed of







